https://community.splunk.com/t5/Splunk-Search/How-to-edit-my-search-to-chart-a-trend-line-over-time/m-p/229989#M68150 <P>Like this:</P> <PRE><CODE> ... | timechart span=1m avg(eval(count/(LATEST-EARLIEST))) AS TPS </CODE></PRE> <P>Or this:</P> <PRE><CODE> ... | eval TPS=count/(LATEST-EARLIEST) | timechart span=1m avg(TPS) AS TPS </CODE></PRE> Mon, 27 Jun 2016 17:57:05 GMT woodcock 2016-06-27T17:57:05Z https://community.splunk.com/t5/Splunk-Search/How-to-edit-my-search-to-chart-a-trend-line-over-time/m-p/229988#M68149 <P>I am trying to use the below search and plot a graph for the <STRONG>TPS</STRONG> field.</P> <P>So, if I draw a chart with the TPS values over a day (duration) with a span of 1 min/5 mins, it would show a line graph over a day (duration) with the TPS value plotting over time.</P> <PRE><CODE> host=X source=Y.log "data available" | stats min(_time) as EARLIEST | appendcols [ search host=X source=Z.log 5.7_WOLFER | stats max(_time) as LATEST ] | appendcols [ search host=X source=Y | stats count(ITIM_ID) as count ] | eval TPS=count/(LATEST-EARLIEST) </CODE></PRE> <P>Tried to use timechart in the following way, but didn't work</P> <PRE><CODE> | timechart span=1m avg(eval(TPS=count/(LATEST-EARLIEST))) </CODE></PRE> <P><A href="https://answers.splunk.com/answers/390329/how-to-run-multiple-queries-at-once-with-calculati.html">https://answers.splunk.com/answers/390329/how-to-run-multiple-queries-at-once-with-calculati.html</A></P> Mon, 27 Jun 2016 17:25:08 GMT https://community.splunk.com/t5/Splunk-Search/How-to-edit-my-search-to-chart-a-trend-line-over-time/m-p/229988#M68149 koushiknandan 2016-06-27T17:25:08Z https://community.splunk.com/t5/Splunk-Search/How-to-edit-my-search-to-chart-a-trend-line-over-time/m-p/229989#M68150 <P>Like this:</P> <PRE><CODE> ... | timechart span=1m avg(eval(count/(LATEST-EARLIEST))) AS TPS </CODE></PRE> <P>Or this:</P> <PRE><CODE> ... | eval TPS=count/(LATEST-EARLIEST) | timechart span=1m avg(TPS) AS TPS </CODE></PRE> Mon, 27 Jun 2016 17:57:05 GMT https://community.splunk.com/t5/Splunk-Search/How-to-edit-my-search-to-chart-a-trend-line-over-time/m-p/229989#M68150 woodcock 2016-06-27T17:57:05Z https://community.splunk.com/t5/Splunk-Search/How-to-edit-my-search-to-chart-a-trend-line-over-time/m-p/229990#M68151 <P>Didn't work. </P> <P>Adding any of the timechart throws error "No results found".</P> Tue, 28 Jun 2016 11:23:25 GMT https://community.splunk.com/t5/Splunk-Search/How-to-edit-my-search-to-chart-a-trend-line-over-time/m-p/229990#M68151 koushiknandan 2016-06-28T11:23:25Z https://community.splunk.com/t5/Splunk-Search/How-to-edit-my-search-to-chart-a-trend-line-over-time/m-p/229991#M68152 <P>Show us the results of your first search.</P> Tue, 28 Jun 2016 13:40:15 GMT https://community.splunk.com/t5/Splunk-Search/How-to-edit-my-search-to-chart-a-trend-line-over-time/m-p/229991#M68152 woodcock 2016-06-28T13:40:15Z https://community.splunk.com/t5/Splunk-Search/How-to-edit-my-search-to-chart-a-trend-line-over-time/m-p/229992#M68153 <P>The query would show the following data in a table. I only want the TPS data to show as a trendline (chart).</P> <PRE><CODE> Start Time - 2016-04-07 13:41:59 End Time - 2016-04-07 16:20:59 Count (ITIM_ID) - 100 TPS=(End Time-Start Time/Count(ITIM_ID)) - 56.76 *No. as per formulae* </CODE></PRE> <P>Thanks,<BR /> Koushik</P> Tue, 28 Jun 2016 14:07:10 GMT https://community.splunk.com/t5/Splunk-Search/How-to-edit-my-search-to-chart-a-trend-line-over-time/m-p/229992#M68153 koushiknandan 2016-06-28T14:07:10Z https://community.splunk.com/t5/Splunk-Search/How-to-edit-my-search-to-chart-a-trend-line-over-time/m-p/229993#M68154 <P>We need to see the actual event data returned by your search, without reformatting/summarizing.</P> Tue, 28 Jun 2016 14:16:16 GMT https://community.splunk.com/t5/Splunk-Search/How-to-edit-my-search-to-chart-a-trend-line-over-time/m-p/229993#M68154 woodcock 2016-06-28T14:16:16Z https://community.splunk.com/t5/Splunk-Search/How-to-edit-my-search-to-chart-a-trend-line-over-time/m-p/229994#M68155 <P>PERFORM 2015/06/29 14:11:21 -A- data available: 'XXXXXXX21467025246209'<BR /> PERFORM 2015/06/29 14:11:21 -A- 5.7_WOLFER 'XXXXXXX21467025246209'<BR /> PERFORM 2015/06/29 14:11:21 -A- data available: 'XXXXXXX21467025246225'<BR /> PERFORM 2015/06/29 14:11:21 -A- 5.7_WOLFER 'XXXXXXX21467025246225'<BR /> PERFORM 2015/06/29 14:11:24 -A- data available: 'XXXXXXX21467025246265'<BR /> PERFORM 2015/06/29 14:11:24 -A- 5.7_WOLFER 'XXXXXXX21467025246225'<BR /> PERFORM 2015/06/29 14:11:25 -A- data available: 'XXXXXXX21467025246205'<BR /> PERFORM 2015/06/29 14:11:25 -A- 5.7_WOLFER 'XXXXXXX21467025246225'</P> <P>In the above log, count of ITIM_ID is 4</P> <P>EARLIEST = 2015/06/29 14:11:21<BR /> LATEST = 2015/06/29 14:11:25</P> <P>Difference = 4 seconds</P> <P>TPS = 4/4 = 1</P> <P>When I am running the above query for an hour, I am getting TPS value of the hour.</P> <P>But, is it possible to get the same data over a trendline, which would say if the TPS value is varying over time, or, remaining fixed? All ideas are welcome.</P> <P>Many Thanks,<BR /> Koushik</P> Tue, 29 Sep 2020 10:05:03 GMT https://community.splunk.com/t5/Splunk-Search/How-to-edit-my-search-to-chart-a-trend-line-over-time/m-p/229994#M68155 koushiknandan 2020-09-29T10:05:03Z https://community.splunk.com/t5/Splunk-Search/How-to-edit-my-search-to-chart-a-trend-line-over-time/m-p/229995#M68156 <P>@woodcock, can you please help me out on this?</P> Mon, 11 Jul 2016 16:35:26 GMT https://community.splunk.com/t5/Splunk-Search/How-to-edit-my-search-to-chart-a-trend-line-over-time/m-p/229995#M68156 koushiknandan 2016-07-11T16:35:26Z https://community.splunk.com/t5/Splunk-Search/How-to-edit-my-search-to-chart-a-trend-line-over-time/m-p/229996#M68157 <P>Try this (5 min interval)</P> <PRE><CODE>... | eval TPS=count/(LATEST-EARLIEST) | bucket bins=288 EARLIEST | stats count TPS by EARLIEST </CODE></PRE> Mon, 11 Jul 2016 18:23:38 GMT https://community.splunk.com/t5/Splunk-Search/How-to-edit-my-search-to-chart-a-trend-line-over-time/m-p/229996#M68157 sundareshr 2016-07-11T18:23:38Z https://community.splunk.com/t5/Splunk-Search/How-to-edit-my-search-to-chart-a-trend-line-over-time/m-p/229997#M68158 <P>I used this to fake the events:</P> <PRE><CODE>|noop|stats count AS raw|eval raw= "PERFORM 2015/06/29 14:11:21 -A- data available: 'XXXXXXX21467025246209':: PERFORM 2015/06/29 14:11:21 -A- 5.7_WOLFER 'XXXXXXX21467025246209':: PERFORM 2015/06/29 14:11:21 -A- data available: 'XXXXXXX21467025246225':: PERFORM 2015/06/29 14:11:21 -A- 5.7_WOLFER 'XXXXXXX21467025246225':: PERFORM 2015/06/29 14:11:24 -A- data available: 'XXXXXXX21467025246265':: PERFORM 2015/06/29 14:11:24 -A- 5.7_WOLFER 'XXXXXXX21467025246225':: PERFORM 2015/06/29 14:11:25 -A- data available: 'XXXXXXX21467025246205':: PERFORM 2015/06/29 14:11:25 -A- 5.7_WOLFER 'XXXXXXX21467025246225'" | makemv delim="::" raw | mvexpand raw | rex field=raw "(?&lt;sourcetype&gt;\S+)\s+(?&lt;time&gt;\S+\s+\S+)\s+-A-\s+(?&lt;ITIM_ID&gt;.*?)\s+'" | eval _time=strptime(time,"%Y/%m/%d %H:%M:%S") </CODE></PRE> <P>Then I added this which does the work and worked for me:</P> <PRE><CODE>| stats range(_time) AS spanSeconds count BY ITIM_ID | eval TPS = count/spanSeconds </CODE></PRE> Mon, 11 Jul 2016 23:29:58 GMT https://community.splunk.com/t5/Splunk-Search/How-to-edit-my-search-to-chart-a-trend-line-over-time/m-p/229997#M68158 woodcock 2016-07-11T23:29:58Z